Managing Risk the Smart Way

Which risks can be managed using a compliance model vs. which risks need other approaches? Robert Kaplan and Anette Mikes provide a framework in a great Harvard Business Review article.

In their HBR article, “Managing Risks: A New Framework,” Kaplan and Mikes say: “risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them.”

But rule-based risk management misses many kinds of risks that organizations face. So Kaplan and Mikes developed a framework “that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches.” Their research identifies three categories of risk:

  • Preventable risks. “These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided.” These include illegal, unethical, or inappropriate actions (such as the recent GSA conference scandal), as well as breakdowns in operational processes. In the federal government, these are typically covered by internal control schemes. The authors say these kinds of risks are “best controlled through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.” This can be done via rule-based compliance approaches.
  • Strategic risks. These are different from preventable risks because they are not necessarily undesirable. For example, developing a satellite-based air traffic control system may be seen as taking a strategic risk over the proven, ground-based radar-controlled air traffic control system. The authors say “Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”
  • External risks. Organizations cannot prevent external risks from happening. So managers need to forecast what these risks might be and develop ways to lessen their impact. They cannot be avoided, only managed. The model for addressing external risks is the use of “open and explicit risk discussions,” the authors say. The format might be war gaming (for near-term issues) or scenario analyses (for longer-term issues).

The authors observe that “each approach requires quite different structures and roles for a risk-management function.” Many organizations tend to label and compartmentalize their risk management functions along business lines (credit risk, operational risk, financial risk), and this “inhibits discussion of how different risks interact.” One way to provide an integrative view, they say, is to anchor risk discussions in the organization’s existing strategic planning function, in part because that function already plays an integrative role in most large organizations.

The authors conclude that most organizations discount the role of risk management because it is “nonintuitive; it runs counter to many individual and organizational biases. . . . Risk management focuses on the negative. . . . It runs exactly counter to the ‘can do’ culture most leadership teams try to foster when implementing strategy.”

Interestingly, many federal agencies tend to emphasize risk avoidance and the rules-based compliance approach. However, the concept of risk management is beginning to take root. Here are some related IBM Center reports that roughly address the three models outlined by Kaplan and Mikes:

Strengthening Control and Integrity: A Checklist for Government Managers, by James Bailey.

Strategic Risk Management in Government: A Look at Homeland Security, by David Schanzer, Joe Eyerman, and Veronique de Rugy.

Managing Risk in Government: An Introduction to Enterprise Risk Management, by Karen Hardy.


Josh Nankivel

All this may lead to what I see sometimes – a highly documented and yet still vague approach to risk management.

The biggest problem I see with agencies and organizations who are actually giving it a shot is the lack of specific definition of the risks they are identifying in the first place, and vague mitigation plans in response to these risks.

These factors combined with the day-to-day priorities we all deal with mean that very little real action takes place. The risk register becomes “something to watch” instead of a list of actively managed risks.

John Kamensky

Hi Josh — The best example of thoughtful risk mitigation happened when the Recovery Act was being implemented. OMB’s guidance required agencies to identify specific kinds of risk and develop strategies to mitigate them for each of the more than 200 programs funded under that Act. The plans were prioritized according to the level of risk they posed, and that’s where the attention was focused.